Jump to content
msherwood

Malwarebytes and Microsoft Security Essentials conflicts

Recommended Posts

We're hearing reports of conflicts between Malwarebytes Anti-Malware and / or Malwarebytes Anti-Exploit and Microsoft Security Essentials (MSE) or Microsoft System Center Endpoint Protection (SCEP). We have created a KB article to help resolve this conflict: https://support.malwarebytes.com/customer/portal/articles/2650097--malwarebytes-and-microsoft-security-essentials-conflicts?b_id=6442

If needed, a copy of the KB article's solution steps are included below.

Solution:

Spoiler
Issue: Malwarebytes Anti-Malware (MBAM) 1.x + Microsoft Security Essentials/System Center Endpoint Protection causing lockup after Security Essentials update
 
Affected Products:
  • Malwarebytes Anti-Malware 1.80
  • Malwarebytes Anti-Malware 1.75
 
Affected Microsoft Antivirus Products:
  • Microsoft Security Essentials (MSE)
  • Microsoft System Center Endpoint Protection (SCEP)
 
 
Initial Findings: The lockup was introduced when MSE and SCEP virus definitions were updated to versions 1.233.56.0 and onwards.  After this update, MSE/SCEP seems to lock up when scanning certain system files that is also triggering MBAM to scan the said files.
 
Solution: Adding the following files as both Excluded Files and Excluded Processes inside of your affected Microsoft Antivirus Product:
  • If your computer is responsive, complete steps 1-8
  • If your computer is unresponsive, wait 10-15 minutes for it to become responsive and then complete steps 1-8
  • If after waiting 10-15 minutes and your computer is still unresponsive, boot to Safe Mode and complete steps 1, 3-6 and then 8

Alternatively, you can immediately boot into Safe Mode and complete steps 1, 3-6 and then 8.

  1. Open MSE/SCEP
  2. Disable Real-Time Protection: Settings -> Real-Time Protection
  3. Exclude files: Settings -> Excluded files and locations and add all the files below
    1. Note: make sure to use the full path to the file
  4. Click Save Changes
  5. Exclude processes: Settings -> Excluded processes and add all the files below
    1. Note: make sure to use the full path to the file
  6. Click Save Changes
  7. Re-Enable Real-Time Protection: Settings -> Real-Time Protection
  8. Reboot computer into Normal Mode

It is best to copy/paste the exclusions when adding them. We have seen issues when using the short filename convention and/or environment variables (%programfiles% mapping to “C:\Program Files\” instead of “C:\Program Files (x86)\” or vice versa).

If you’re copying all exclusions at once, be sure to include the required semicolon after each entry.
 

Managed client:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe
  • C:\Program Files\Malwarebytes' Managed Client\SCComm.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe
  • C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe

Standalone Malwarebytes Anti-Malware client:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamdor.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamdor.exe

Standalone Malwarebytes Anti-Exploit client:

  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

 

Edited by AlexSmith
Added updated instructions aand KB article link.

Share this post


Link to post
Share on other sites

We are having massive issues right now with this at one of our clients.

We have 120+ PC's with Malwarebytes Business on them, Got reports this morning that several machines were locking up.
The issue spread like a wild fire through the business. We have spent the entire day trying to narrow the issue down because it also seems to have something to do with an MS Office 365 update.
On some machines we are able to disable MBB (Malwarebytes Business) let the MS Office update finish running and then turn MBB back on with no issues.
However on many of the PC's we are unable to turn MBB back on at all or it crashes and locks up the entire PC.

We are also running MSSE MS Security Essentials.
I opened a tag with MB Support just now...

We need answers QUICK! This is a large business and this has ground them to a halt today!!!
~Steve~

 

Share this post


Link to post
Share on other sites
40 minutes ago, SteveRies said:

We are having massive issues right now with this at one of our clients.

We have 120+ PC's with Malwarebytes Business on them, Got reports this morning that several machines were locking up.
The issue spread like a wild fire through the business. We have spent the entire day trying to narrow the issue down because it also seems to have something to do with an MS Office 365 update.
On some machines we are able to disable MBB (Malwarebytes Business) let the MS Office update finish running and then turn MBB back on with no issues.
However on many of the PC's we are unable to turn MBB back on at all or it crashes and locks up the entire PC.

We are also running MSSE MS Security Essentials.
I opened a tag with MB Support just now...

We need answers QUICK! This is a large business and this has ground them to a halt today!!!
~Steve~

 

Thanks for sharing your details. We are still trying to track this down. We also have a line open with Microsoft and we're actively discussing it with them.

Share this post


Link to post
Share on other sites

Mike - our organization is also having this issue.

Please let me know what we can do to help. We are running Windows 7 SP1 x64 machines with Microsoft Endpoint Protection managed via SCCM 2012. For some of the machines, disabling Microsoft's real-time scanning resolved the issue. On others, we have had to disable Anti-Exploit to get this working again.

 

Would it help to open a support case? or is this the best place to get further updates? Let me know if I can provide any information.

Thanks,

Share this post


Link to post
Share on other sites

Having similar issues that other have reported. Running Windows 7 Pro, MSE, & MBAM Pro paid version 1.75.0.1300. Window updates done on 11-15-16 without issue. Updated MBAM and MSE this morning. Problems surfaced during reboot of windows.

PC nearly inoperable with difficulties booting into windows (hanging at the welcome screen) and once at desktop OS was non-responsive. Example when right clicking on desktop icon it took 3-5 minutes for menu to open.  OS became fully operable after disabling active protections of MBAM.

Once OS was stable, did some testing, using deep freeze program. Also running MBAE, but enabling MBAE application alone does not cause any issues. OS was stable until I enable MBAM filesystem protection and attempt to run MSE scan. I suspect rebooting windows would also present issues based on earlier experience. Unable to retest. Planning to not use affected PC, until issues resolved.

Share this post


Link to post
Share on other sites
Just now, goatmale said:

Mike - our organization is also having this issue.

Please let me know what we can do to help. We are running Windows 7 SP1 x64 machines with Microsoft Endpoint Protection managed via SCCM 2012. For some of the machines, disabling Microsoft's real-time scanning resolved the issue. On others, we have had to disable Anti-Exploit to get this working again.

 

Would it help to open a support case? or is this the best place to get further updates? Let me know if I can provide any information.

Thanks,

Really appreciate your offer, @goatmale. No need to open a support case (unless you want to). We'll be posting our updates here.

 

6 minutes ago, sueska_mb said:

Having similar issues that other have reported. Running Windows 7 Pro, MSE, & MBAM Pro paid version 1.75.0.1300. Window updates done on 11-15-16 without issue. Updated MBAM and MSE this morning. Problems surfaced during reboot of windows.

PC nearly inoperable with difficulties booting into windows (hanging at the welcome screen) and once at desktop OS was non-responsive. Example when right clicking on desktop icon it took 3-5 minutes for menu to open.  OS became fully operable after disabling active protections of MBAM.

Once OS was stable, did some testing, using deep freeze program. Also running MBAE, but enabling MBAE application alone does not cause any issues. OS was stable until I enable MBAM filesystem protection and attempt to run MSE scan. I suspect rebooting windows would also present issues based on earlier experience. Unable to retest. Planning to not use affected PC, until issues resolved.

Thanks for sharing, @sueska_mb.

Share this post


Link to post
Share on other sites

We can just now confirm a workaround is disabling Microsoft Security Essentials' real-time scanning (in normal or safe mode). We're still troubleshooting and will provide updates here as we learn more.

Share this post


Link to post
Share on other sites

I got the slowdown this morning, when I updated MSE definitions (new series: 1.233.51.0) and ran a threat scan on MBAM. Normally, it takes 18 minutes or so, but it was running over 40. MSE is running more or less at its normal speed, but I'm also seeing slowdowns in browsing. A custom scan (with rootkit check) normally takes 2 hours, but this afternoon, I aborted the scan at almost 4 hours. I have it running, and it's bog slow; maybe halfway through the files at 2.5 hours.

Haven't tried disabling MSE just yet...

Share this post


Link to post
Share on other sites

Forgot to mention: Windows 7 Home premium. I have not applied the November Security-only updates; for October, I did the Security-only update from the MS update catalog.

Share this post


Link to post
Share on other sites

It only seems to be Windows 7 (64 bit? unconfirmed, but all ours were) effected, we did not get any calls from clients with Windows 10 and MBAM complaining.

It happens after MSE updates to the latest definition. PC must have MBAM installed, in our case it is MBAM Business.

It slows down and eventually locks up the PC. It appears to be a memory leak type issue, and/or a CPU utilization, or some other OS resource exhaustion. The PC eventually becomes unusable and unresponsive. You can see many event log messages with "fault bucket" and talking about the MSE process. Perhaps MBAM is killing or disrupting the MSE scanning?

Booting into safe mode (or before the PC crashes) and disabling MSE real time scanning works around the issue. As does removing MBAM. It is definitely a conflict between the two.

Share this post


Link to post
Share on other sites
5 hours ago, msherwood said:

We can just now confirm a workaround is disabling Microsoft Security Essentials' real-time scanning (in normal or safe mode). We're still troubleshooting and will provide updates here as we learn more.

We did this - I have had reports that this doesn't work - users are still experiencing issues until Malware Bytes Anti-Exploit is disabled. Just wanted to share our experience.

Share this post


Link to post
Share on other sites
13 hours ago, RedCountyPete said:

I got the slowdown this morning, when I updated MSE definitions (new series: 1.233.51.0) and ran a threat scan on MBAM. Normally, it takes 18 minutes or so, but it was running over 40. MSE is running more or less at its normal speed, but I'm also seeing slowdowns in browsing. A custom scan (with rootkit check) normally takes 2 hours, but this afternoon, I aborted the scan at almost 4 hours. I have it running, and it's bog slow; maybe halfway through the files at 2.5 hours.

Haven't tried disabling MSE just yet...

Were you able to try disabling real-time scanning in MSE and did that work for you?

 

12 hours ago, itlifesaver said:

It only seems to be Windows 7 (64 bit? unconfirmed, but all ours were) effected, we did not get any calls from clients with Windows 10 and MBAM complaining.

It happens after MSE updates to the latest definition. PC must have MBAM installed, in our case it is MBAM Business.

It slows down and eventually locks up the PC. It appears to be a memory leak type issue, and/or a CPU utilization, or some other OS resource exhaustion. The PC eventually becomes unusable and unresponsive. You can see many event log messages with "fault bucket" and talking about the MSE process. Perhaps MBAM is killing or disrupting the MSE scanning?

Booting into safe mode (or before the PC crashes) and disabling MSE real time scanning works around the issue. As does removing MBAM. It is definitely a conflict between the two.

Thanks for sharing and confirming the workaround.

 

9 hours ago, goatmale said:

We did this - I have had reports that this doesn't work - users are still experiencing issues until Malware Bytes Anti-Exploit is disabled. Just wanted to share our experience.

To confirm, are you saying you had to disable real-time scanning in MSE and disable MBAE on all machines or just some where disabling real-time scanning in MSE didn't work?

 

52 minutes ago, Lygoldstein said:

Any updates I have hundreds of users down.  Would like to have this resolved before Monday!!

Have you tried our suggested workaround of disabling real-time scanning in MSE?

Share this post


Link to post
Share on other sites

We have no new updates at this time. Our suggested workaround is still disabling real-time scanning in MSE.

Share this post


Link to post
Share on other sites

I'm trying an MBAM scan on the laptop; it's a secondary machine running the free MBAM. So far, it looks reasonably fast on a custom scan.

On the main machine, I have the standard non-business license. Is it reasonably safe to rely on MBAM's realtime screening and to leave MSE realtime off?

Share this post


Link to post
Share on other sites

Disabling realtime scanning is not really an acceptable option and increases our risk.  The whole purpose of having two solutions is for the added protection.

Share this post


Link to post
Share on other sites

Hi Everyone,

We followed the following guide to add MBAM as an excluded process for Microsoft System Center Endpoint Protection and it seems like it has fixed the issue. This way you don't have to disable realtime scanning.

https://support.malwarebytes.com/customer/portal/articles/1986791-what-exclusions-should-i-add-for-my-antivirus-when-using-malwarebytes-endpoint-secuirty-?b_id=6520

Thanks

Share this post


Link to post
Share on other sites

The implementation of the following Malwarebytes recommendations for AV software process scanning exclusions contained within the following post seems to have addressed our issues.  Can anyone else confirm the same?  - https://support.malwarebytes.com/customer/portal/articles/1986791-what-exclusions-should-i-add-for-my-antivirus-when-using-malwarebytes-endpoint-secuirty-?b_id=6520
 

Share this post


Link to post
Share on other sites

This is affecting our (large) organization greatly.  Many of our users were interrupted throughout Friday, lots of lost work, and 1/3 of the IT staff pulled out of support roles to work on a root cause with no call-backs or response from MB. to submitted ticket(s), etc.  Users continue to lose work and the fact that the workaround is to disable Endpoint realtime scanning is a terrible idea.  How about specific exclusions we can add to endpoint?  How about calling back the customers who leave voicemails/open tickets?  Based on this forum it's only 6 calls that would help MB to retain customers.  Here is what would help us customers the most:

1. Acknowledge the issue and who is at fault - done, it's a Malwarebytes problem, not Microsoft

2. Communicate with the customer - sort of -- in a forum?

3. Provide an eta to a real fix with regular updates to manage our expectations--we have to answer to Management.


Thank you for your help and please, please keep providing updates and developments within this forum as this appears to be the only mode of support.  There's rumors out there that say we should exclude certain Malwarebytes files.  Is this valid and are you testing that?

Share this post


Link to post
Share on other sites

we have a large client 125 users or so that this has taken them done completely all day yesterday.  Not to mention having 3 staff onsite attempting to figure out what the problem was/is.  This really is unacceptable, we have to answer to management.  What is this going to be fixed?  How do you even begin compensating clients that have over $100,000 dollars lost in productivity?  

Share this post


Link to post
Share on other sites

I tried the exclusion set in MSE as recommended by vchhuor and bstephens, and it's working on my main machine. A threat scan ran in the normal timeframe (it was over 40 minutes yesterday morning, now 17 as in the past). Will apply this to MSE in the laptop.

Share this post


Link to post
Share on other sites
1 hour ago, Lygoldstein said:

Disabling realtime scanning is not really an acceptable option and increases our risk.  The whole purpose of having two solutions is for the added protection.

As a long-term solve, we agree. This suggestion is only a workaround for right now.

 

57 minutes ago, vchhuor said:

Hi Everyone,

We followed the following guide to add MBAM as an excluded process for Microsoft System Center Endpoint Protection and it seems like it has fixed the issue. This way you don't have to disable realtime scanning.

https://support.malwarebytes.com/customer/portal/articles/1986791-what-exclusions-should-i-add-for-my-antivirus-when-using-malwarebytes-endpoint-secuirty-?b_id=6520

Thanks

Thank you for sharing.

 

48 minutes ago, Limon said:

This is affecting our (large) organization greatly.  Many of our users were interrupted throughout Friday, lots of lost work, and 1/3 of the IT staff pulled out of support roles to work on a root cause with no call-backs or response from MB. to submitted ticket(s), etc.  Users continue to lose work and the fact that the workaround is to disable Endpoint realtime scanning is a terrible idea.  How about specific exclusions we can add to endpoint?  How about calling back the customers who leave voicemails/open tickets?  Based on this forum it's only 6 calls that would help MB to retain customers.  Here is what would help us customers the most:

1. Acknowledge the issue and who is at fault - done, it's a Malwarebytes problem, not Microsoft

2. Communicate with the customer - sort of -- in a forum?

3. Provide an eta to a real fix with regular updates to manage our expectations--we have to answer to Management.


Thank you for your help and please, please keep providing updates and developments within this forum as this appears to be the only mode of support.  There's rumors out there that say we should exclude certain Malwarebytes files.  Is this valid and are you testing that?

We are still actively investigating the root cause.

Share this post


Link to post
Share on other sites
5 minutes ago, RedCountyPete said:

I tried the exclusion set in MSE as recommended by vchhuor and bstephens, and it's working on my main machine. A threat scan ran in the normal timeframe (it was over 40 minutes yesterday morning, now 17 as in the past). Will apply this to MSE in the laptop.

Thanks for trying and letting us know. We'll update again when we know more.

Share this post


Link to post
Share on other sites

We can now confirm that excluding "c:\program files\microsoft security client" from MBAM 1.8 works. We are continuing to actively investigate.

Share this post


Link to post
Share on other sites

neither fix has worked for us.  I added the exclusions to SCEP and MBAM.  SCEP locks the system up when running a quick scan. 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.